Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 04-02-2021 14:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
- Resource: win7v20201028
General
- Target: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
- Size: 35KB
- MD5: 1270d03503499a3dc08a3d959ded61f5
- SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
- SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
- SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
Malware Config
Signatures
- Phorphiex Payload (2 IoCs)
  Processes:
  - resource: C:\306058291892\svchost.exe, yara_rule: family_phorphiex
  - resource: C:\306058291892\svchost.exe, yara_rule: family_phorphiex
- Executes dropped EXE (1 IoC)
  Processes:
  - pid: 3268, process: svchost.exe
- Windows security modification (7 IoCs)
  Processes:
  - description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1", process: svchost.exe
  - description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1", process: svchost.exe
  - description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1", process: svchost.exe
  - description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1", process: svchost.exe
  - description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1", process: svchost.exe
  - description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1", process: svchost.exe
  - description: Set value (int), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1", process: svchost.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  - description: Set value (str), ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\306058291892\\svchost.exe", process: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
  - description: Set value (str), ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\306058291892\\svchost.exe", process: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  - description: PID 4648 wrote to memory of 3268, pid: 4648, process: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe, target process: svchost.exe
  - description: PID 4648 wrote to memory of 3268, pid: 4648, process: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe, target process: svchost.exe
  - description: PID 4648 wrote to memory of 3268, pid: 4648, process: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe, target process: svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\306058291892\svchost.exe (child process)
    Command line: C:\306058291892\svchost.exe
    - Executes dropped EXE
    - Windows security modification
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\306058291892\svchost.exe
  MD5: 1270d03503499a3dc08a3d959ded61f5
  SHA1: 965b86352f0a5aea6969be8466e5318a0152b32a
  SHA256: 329ea43f5027e79bb3151ce827fadbc6173a84218fd984ae4a4b44b478411339
  SHA512: 418bda6ff2b2ca398372a7311605360e2e6f2506d083a26234bac19387e8ea60ad7c72fce35f439134fb70fb983f233e2748c868b75de61a40ff27cbe4a9984d
- memory/3268-2-0x0000000000000000-mapping.dmp